CVE-2025-69516

Published: Jan 29, 2026

Modified: Jan 29, 2026

PUBLISHED

Description

A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. This occurs due to improper sanitization of the template_md parameter, enabling direct injection of Jinja2 templates. This occurs due to misuse of the generate_html() function, the user-controlled value is inserted into `env.from_string`, a function that processes Jinja2 templates arbitrarily, making an SSTI possible.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/amidaware/tacticalrmm

https://www.amidaware.com/

https://gist.github.com/NtGabrielGomes/7c424367cc316fd7527f668ff076fece

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-69516

Description

Affected Products

References